System Administration & Network Administration
networking tcp wireshark java tshark
Updated Tue, 12 Jul 2022 16:16:18 GMT

How to use tshark to do this task


I don't have any basic knowledge of tshark, and it is hard to find a tutorial to help me with this.

So now I have a pcap file which consists of a lot of network flows; a time range; an IP address; a TCP port number; and the number of packets sent by the IP address OR the number of packets received by the IP address.

What I want to do is this: first I let tshark read from that pcap file, then use the time range to filter out all the network flows that are in that time range, then use the IP address to filter out all the network flows from that IP address among the already-filtered-by-time flows, and then use the TCP port number and the number of packets sent/received by the IP address to finally locate the flow I want. Then follow this flow/stream and save the whole conversation to a new pcap file.

Can anyone help? I'd very much appreciate it.




Solution

What I want to do is that first I let tshark to read from that pcap file, and then use the time range to filter out all the network flows that are in that time range

You should do it with editcap:

$ editcap -A "2011-07-12 09:49:16" -B "2011-07-12 09:49:20" in.pcap out.pcap

and then use the ip addr to filter out all the network flows from that ip addr, and then use the tcp port number and the number of packets sent/received by the ip addr to finally locate the flow I want.

$ tshark -r out.pcap -Y "ip.addr == $IP && tcp.port == $PORT"   # -Y is the display filter in current tshark; the older -R flag now requires -2

Then follow this flow/stream

$ tshark -r out.pcap -Y "ip.addr == $IP && tcp.port == $PORT" \
    -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | \
    sort -u | \
    while read src sport dst dport; do
        # one pass per distinct 4-tuple: match both directions of that
        # conversation and write it out as its own capture file
        # (each conversation is listed twice, once per direction, so the
        # two files written for it are identical)
        tshark -r out.pcap \
            -Y "ip.addr == $src && tcp.port == $sport && \
                ip.addr == $dst && tcp.port == $dport" \
            -w "stream_${src}_${sport}_${dst}_${dport}.pcap"
    done
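The same procedure end to end, as an added example that is not part of the original answer: it keeps the editcap time cut, but then uses the tcp.stream index that tshark assigns to every TCP conversation instead of matching 4-tuples by hand, and it adds the packet-count step the answer leaves out (count, per stream, the packets the host sent or received and keep the streams whose count matches). The file names, the address 10.0.0.5, port 443 and the count 7 are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): cut by time, find the TCP
# stream in which $IP sent (or received) exactly $COUNT packets on $PORT,
# and save that whole conversation. Needs editcap and tshark on PATH.
# Every default below is a placeholder assumption; override via environment.

PCAP=${PCAP:-in.pcap}               # assumed input capture
START=${START:-"2011-07-12 09:49:16"}
STOP=${STOP:-"2011-07-12 09:49:20"}
IP=${IP:-10.0.0.5}                  # the host of interest
PORT=${PORT:-443}                   # TCP port of interest
COUNT=${COUNT:-7}                   # expected packet count for that host
MODE=${MODE:-sent}                  # "sent" or "received", as seen from $IP

# Step 1: cut the capture down to the time window (editcap, as in the answer).
cut_by_time() {  # $1 = input pcap, $2 = output pcap
    editcap -A "$START" -B "$STOP" "$1" "$2"
}

# Step 2: one line per packet of every stream that touches $IP and $PORT:
# "<tcp.stream index> <ip.src>" (tab separated by default).
list_stream_packets() {  # $1 = pcap
    tshark -r "$1" -Y "ip.addr == $IP && tcp.port == $PORT" \
        -T fields -e tcp.stream -e ip.src
}

# Step 3: read that listing on stdin, count per stream the packets that $IP
# sent (MODE=sent) or received (MODE=received), and print the index of every
# stream whose count equals $COUNT. Plain awk, so it runs without tshark.
select_stream() {
    awk -v ip="$IP" -v want="$COUNT" -v mode="$MODE" '
        {
            seen[$1] = 1
            from_ip = ($2 == ip)
            if ((mode == "sent" && from_ip) || (mode == "received" && !from_ip))
                n[$1]++
        }
        END { for (s in seen) if (n[s] + 0 == want) print s }' | sort -n
}

# Step 4: write both directions of one conversation to its own pcap.
save_stream() {  # $1 = pcap, $2 = stream index, $3 = output pcap
    tshark -r "$1" -Y "tcp.stream == $2" -w "$3"
}

main() {
    cut_by_time "$PCAP" window.pcap
    for s in $(list_stream_packets window.pcap | select_stream); do
        save_stream window.pcap "$s" "stream_$s.pcap"
        echo "tcp.stream $s -> stream_$s.pcap"
    done
}

# Only run the pipeline when RUN_PIPELINE is set, so the functions can be
# sourced and exercised on canned tshark output without a capture file.
if [ -n "$RUN_PIPELINE" ]; then
    main
fi
```

Run it as `RUN_PIPELINE=1 PCAP=in.pcap IP=10.0.0.5 PORT=443 COUNT=7 sh follow_stream.sh`; set `MODE=received` when the known number is the packets the host received. If several streams match the count, each is written to its own `stream_<index>.pcap`, which is usually what you want when the count alone is ambiguous.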




Comments (1)

  • +0 – wow. great help!!! many thanks! — Oct 24, 2011 at 17:25

